Firewall Wizards mailing list archives

Re: Active-content filtering (was RE: Buffer Overruns)


From: Crispin Cowan <crispin () cse ogi edu>
Date: Wed, 29 Dec 1999 18:15:31 +0000

Dorian Moore wrote:

Ultimately users need to understand that what they are downloading from
a site isn't just information, but is also potentially a program which
affects how their system works - and can have a negative effect on their
system.

Ultimately what I want designers to understand is that some users will choose *not* to
download the program part.  If the web site does not work without the program part,
then it is *broken*.  It is as badly broken as it is if it *only* works on IE or
only on Netscape.


In the same way users have to be educated that files that they
are emailed, or files that they received on
zip/floppy/syquest/dat/memory stick or any other transfer format, can be
bad as well as good. I think it's a good state for mankind to have (in
general) trust in what goes on around them ... if it wasn't for those
pesky kids.

If we succeed in educating users about this danger, then most of them will turn it
off most of the time, and as a result most of the web sites that depend on scripting
for functionality will be revealed to be broken.


Client side scripting has been a race forced by consumer and commercial
desire (with a bit of Microsoft vs Netscape competition thrown in for
good measure).

I actually think it was the opposite.  Scripting was introduced mostly through MS
vs. NS competition, and customer demand appeared only after the shiny blinking
lights were waved in front of the customers.  Blinking lights WITHOUT benefit of a
"surgeon general's warning" :-(


As a developer within that field I often argue away from
the use of these technologies :

Excellent!  My favorite kind of designer.


but ultimately the people want it, and

*Executives* want it.  Perhaps that is where we should place our emphasis:
educating executive decision makers on the serious downside to mandating lots of
blinkin lights.


I think you've got a confused issue here. The New York Times is a
website providing content for free, that they have to spend time and

No, the NYT provides content for free because of the advertising revenue they get
from the hit counts and click throughs.  When a user browses nyt.com, they are
bartering the "free" content for the "free" attention span spent on the banners.  It
is a very mercantile exchange, and therefore the browser is a customer of the Times,
even if they did not pay in cash.  As such, customers are entitled to bitch about
the poor quality of the product, including bogus scripting requirements.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org


